SB2026060531 - Multiple vulnerabilities in Progress MOVEit WAF



SB2026060531 - Multiple vulnerabilities in Progress MOVEit WAF

Published: June 5, 2026

Security Bulletin ID: SB2026060531
CSH Severity: Critical
Patch available: Yes
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Code execution

Breakdown by Severity

Critical: 50%, Medium: 50%

Description

This security bulletin contains information about 2 vulnerabilities.


1) Command injection (CVE-ID: CVE-2026-8037)

CWE-ID: CWE-77 - Command injection

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Red


The vulnerability allows a remote attacker to execute arbitrary commands.

The vulnerability exists due to command injection in the API when processing unsanitized input. A remote attacker can send crafted API input to execute arbitrary commands.


2) Improper Handling of Case Sensitivity (CVE-ID: CVE-2026-33691)

CWE-ID: CWE-178 - Improper Handling of Case Sensitivity

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote attacker to execute arbitrary code.

The vulnerability exists due to improper handling of whitespace in the file-extension checks of upload detection rules 933110, 933111, and 944140 when processing uploaded filenames. A remote attacker can upload a file with a whitespace-padded dangerous extension to execute arbitrary code.

Exploitation is environment-dependent and requires a backend that normalizes or strips whitespace from filenames before executing uploaded files.
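As an added illustration (not MOVEit's code, not the affected WAF rules, and not part of this bulletin), the following Python compares an extension check anchored on the raw filename with one that canonicalizes the name the way a normalizing backend would before deciding. The denylist, allowlist and sample filenames are constructed; the hardened check also strips trailing dots and folds case, which goes beyond the whitespace case described above but stays within the CWE-178 class the issue is filed under.

```python
import re
import unicodedata

# Constructed sample denylist of server-side executable extensions.
BLOCKED_EXTENSIONS = {"php", "phtml", "jsp", "jspx", "asp", "aspx"}
# Constructed sample allowlist for the preferred, positive form of the check.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "txt"}

# Trailing whitespace, NUL and dots that common filesystems or upload
# handlers silently drop before the file is stored.  A check that runs
# before that normalization sees a different extension than the backend.
_TRAILING_JUNK = re.compile(r"[\s\x00.]+$")


def naive_extension_blocked(filename: str) -> bool:
    """Weak check: takes the text after the last '.' verbatim, so a padded
    name such as 'shell.php ' yields the extension 'php ' and is let through."""
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    return ext in BLOCKED_EXTENSIONS


def canonical_extension(filename: str) -> str:
    """Return the extension as the backend will most likely see it:
    Unicode compatibility-normalized, trailing junk stripped, directory
    components removed, inner whitespace trimmed, and case-folded."""
    name = unicodedata.normalize("NFKC", filename)
    name = _TRAILING_JUNK.sub("", name)
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base:
        return ""
    return base.rsplit(".", 1)[-1].strip().casefold()


def hardened_extension_blocked(filename: str) -> bool:
    """Denylist check evaluated on the canonical extension."""
    return canonical_extension(filename) in BLOCKED_EXTENSIONS


def allowlist_accepts(filename: str) -> bool:
    """Preferred form: accept only extensions that are explicitly expected,
    again decided on the canonical extension so padding cannot matter."""
    return canonical_extension(filename) in ALLOWED_EXTENSIONS


def bypass_candidates(filenames):
    """Names the naive check would accept but the hardened check rejects;
    useful for turning a detection gap into a regression test."""
    return [
        f for f in filenames
        if not naive_extension_blocked(f) and hardened_extension_blocked(f)
    ]


if __name__ == "__main__":
    # Constructed sample filenames as they might appear in a multipart
    # Content-Disposition header.
    samples = ["report.pdf", "shell.php", "shell.php ", "SHELL.PHP", "dir/x.php."]
    for name in samples:
        print(repr(name), naive_extension_blocked(name), hardened_extension_blocked(name))
    print("missed by naive check:", bypass_candidates(samples))
```

The point of `bypass_candidates` is defensive: run it over the filenames your upload gate has accepted historically to see which ones a normalizing backend would have treated as executable, and add those cases to the rule's tests.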


Remediation

Install the update from the vendor's website.